RADIUS Submethod
RADIUS (Remote Authentication Dial-In User Service) is a protocol for
checking a user's authentication and authorization information against a
remote server. It was originally intended for authenticating dial-in
users, but is also suitable for use with Secure Shell.
In SSH Tectia, RADIUS is implemented as a submethod of Keyboard-Interactive
authentication.
The radius Keyboard-Interactive submethod requires one or more RADIUS
servers to be configured in the sshd2_config file:
AllowedAuthentications keyboard-interactive
...
AuthKbdInt.Optional radius
...
AuthKbdInt.RADIUS.NASIdentifier identifier
AuthKbdInt.RADIUS.Server serveraddress=address,\
nasidentifier=client_identifier,secretfile=filename,timeout=120
The AuthKbdInt.RADIUS.NASIdentifier keyword defines the default NAS
identifier to be used when talking to the RADIUS server.
The AuthKbdInt.RADIUS.Server keyword defines one RADIUS server. The
serveraddress field is mandatory; the other fields are optional. The
address can be an IP address or a DNS name. The nasidentifier field, if
specified, overrides the default for this server.
The default file for the shared secret is
/etc/ssh2/ssh_radius_nas_secret.dat.
The default timeout is 23 seconds. This should usually be sufficient, but
if the RADIUS server is expected to take a long time to process the
authentication request, it can be lengthened. The servers are queried
in the order they have been specified, and only one at a time. The
minimum timeout is 7 seconds, and the timeout has a granularity of 8
seconds. The RADIUS server will always be queried for at least the
number of seconds specified in the timeout parameter.
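A small checker for the RADIUS keywords described above, added here as an example (not SSH Tectia's own code). It joins backslash-continued lines, fills in the documented defaults (secret file, 23-second timeout) and reports the mistakes a reviewer would look for: a missing serveraddress, a timeout below the 7-second minimum, and the radius submethod or keyboard-interactive not being enabled at all. The sshd2_config fragment is constructed for the demonstration.

```python
DEFAULT_SECRETFILE = "/etc/ssh2/ssh_radius_nas_secret.dat"  # documented default
DEFAULT_TIMEOUT = 23  # documented default, seconds
MIN_TIMEOUT = 7       # documented minimum, seconds
# Constructed sshd2_config fragment; the third server line omits the mandatory serveraddress.
SAMPLE_CONFIG = """\
AllowedAuthentications keyboard-interactive
AuthKbdInt.Optional radius
AuthKbdInt.RADIUS.NASIdentifier tectia-gw1
AuthKbdInt.RADIUS.Server serveraddress=10.0.0.5,\\
nasidentifier=gw1,secretfile=/etc/ssh2/radius1.dat,timeout=120
AuthKbdInt.RADIUS.Server serveraddress=radius2.example.net,timeout=3
AuthKbdInt.RADIUS.Server nasidentifier=gw1
"""

def parse_config(text):
    # Join backslash-continued lines, then split each line into (keyword, value).
    pairs = []
    for line in text.replace("\\\n", "").splitlines():
        if line.strip() and not line.startswith("#"):
            kw, _, val = line.strip().partition(" ")
            pairs.append((kw, val.strip()))
    return pairs

def parse_server(value, default_nas):
    # Parse one 'field=value,...' server spec and fill in the documented defaults.
    f = dict(part.split("=", 1) for part in value.split(",") if "=" in part)
    return {"serveraddress": f.get("serveraddress"),   # mandatory, no default
            "nasidentifier": f.get("nasidentifier", default_nas),
            "secretfile": f.get("secretfile", DEFAULT_SECRETFILE),
            "timeout": int(f.get("timeout", DEFAULT_TIMEOUT))}

def lint(text):
    # Return a list of problems; an empty list means the RADIUS setup is consistent.
    pairs = parse_config(text)
    problems = []
    if not any(k == "AllowedAuthentications" and "keyboard-interactive" in v for k, v in pairs):
        problems.append("keyboard-interactive is not in AllowedAuthentications")
    if not any(k in ("AuthKbdInt.Optional", "AuthKbdInt.Required") and "radius" in v for k, v in pairs):
        problems.append("radius is not listed as a Keyboard-Interactive submethod")
    default_nas = next((v for k, v in pairs if k == "AuthKbdInt.RADIUS.NASIdentifier"), None)
    servers = [parse_server(v, default_nas) for k, v in pairs if k == "AuthKbdInt.RADIUS.Server"]
    if not servers:
        problems.append("no AuthKbdInt.RADIUS.Server configured")
    for n, s in enumerate(servers, 1):  # servers are queried in this order, one at a time
        if not s["serveraddress"]:
            problems.append(f"server {n}: serveraddress is mandatory")
        if s["timeout"] < MIN_TIMEOUT:
            problems.append(f"server {n}: timeout {s['timeout']}s is below the {MIN_TIMEOUT}s minimum")
    return problems
```

Running lint(SAMPLE_CONFIG) reports the short timeout on the second server and the missing address on the third; the first server parses cleanly with its explicit secret file.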
The supported RADIUS servers are the FreeRADIUS server and Microsoft IAS
(Internet Authentication Service) server. The following sections contain
advice on configuring them to interoperate with SSH Tectia Server.
FreeRADIUS Server Configuration
Configure the client (SSH Tectia Server) in /etc/freeradius/clients.conf
with the proper IP address and nastype = other. The FreeRADIUS server
can be instructed to check the users against the system's main passwd
file with the following in /etc/freeradius/users:
DEFAULT Auth-Type = System, Fall-Through = 1
In /etc/freeradius/radiusd.conf, PAP must be configured to be available
for authentication. See the FreeRADIUS documentation for further details.
IAS Server Configuration
For SSH Tectia Server to interoperate with Microsoft IAS, the following
must be done:
- Requiring Signature Attribute must be switched off in IAS.
- Dial-In must be allowed in the user's properties.
- PAP authentication must be allowed in IAS.
Note: SSH Communications Security does not provide technical
support on how to configure RADIUS. Our support only covers SSH Tectia
applications.